There is the following code:
class Product < ActiveRecord::Base
validates :title, :description, :image_url, presence: true
validates :price, numericality: {greater_than_or_equal_to: 0.01}
validates :title, uniqueness: true
validates :image_url, allow_blank: true, format: {
with: %r{\.(gif|jpg|png)$}i,
message: 'URL must point to GIT/JPG/PNG pictures'
}
end
It works, but when I try to test it using "rake test" I'll catch this message:
rake aborted!
The provided regular expression is using multiline anchors (^ or $), which may present a security risk. Did you mean to use \A and \z, or forgot to add the :multiline => true option?
What does it mean? How can I fix it?
^ and $ are Start of Line and End of Line anchors. While \A and \z are Permanent Start of String and End of String anchors.
See the difference:
string = "abcde\nzzzz"
# => "abcde\nzzzz"
/^abcde$/ === string
# => true
/\Aabcde\z/ === string
# => false
So Rails is telling you, "Are you sure you want to use ^ and $? Don't you want to use \A and \z instead?"
There is more on the rails security concern that generates this warning here.
This warning raises because your validation rule is vulnerable for javascript injection.
In your case \.(gif|jpg|png)$ matches till the end of the line. So your rule will validate this value pic.png\nalert(1); as true:
"test.png\n<script>alert(1)</script>" === /\.(gif|jpg|png)$/i
# => true
"test.png\n<script>alert(1)</script>" === /\.(gif|jpg|png)\z/i
# => false
Read the acticles:
http://caiustheory.com/validating-data-with-regular-expressions-in-ruby
http://guides.rubyonrails.org/security.html#regular-expressions
The problem regexp is not in devise, but rather lives in config/initializers/devise.rb. Change:
# Regex to use to validate the email address
config.email_regexp = /^([\w\.%\+\-]+)#([\w\-]+\.)+([\w]{2,})$/i
to:
# Regex to use to validate the email address
config.email_regexp = /\A([\w\.%\+\-]+)#([\w\-]+\.)+([\w]{2,})\Z/i
The warning is telling you that strings like the following will pass validation, but it is probably not what you want:
test = "image.gif\nthis is not an image"
re = /\.(gif|jpg|png)$/i
re.match(test) #=> #<MatchData ".gif" 1:"gif">
Both ^ and $ matches the start/end of any line, not the start/end of the string. \A and \z matches the start and the end of the full string, respectively.
re = /\.(gif|jpg|png)\z/i
re.match(test) #=> nil
The second part of the warning (“or forgot to add the :multiline => true option”) is telling you that if you actually want the behaviour of ^ and $ you can simply silence the warning passing the :multiline option.
If Ruby wants to see \z instead of the $ symbol sign, for security, you need to give it to him, then the code would look like this :
validates :image_url, allow_blank: true, format: {with: %r{\.(gif|jpg|png)\z}i, message: 'URL must point to GIF, JPG, PNG.'}
Related
I am new to rails and in my models am doing some field validation and i need some help
has_many :stats
validates :name, presence: true, uniqueness: true, length: { minimum: 2 }
validates :age, presence: true
validates :title, presence: true, format: { with: ???????????????
message: "must begin with abc_ and have numbers after" }
I am stuck trying to validate title to be in the format abc_8943578945794
Is this where I should really create a method to validate?
Thanks, Nigel.
Apparently you're looking for a regular expression to match the title, try this:
with: /^[a-z]+_[0-9]+$/
Fernando Almeida's anwers is right, you need a regex to match the expected value, but for the format that "OP" have passed (abc_8943578945794), this seems more suitable:
/^[a-z]{3}_[0-9]{13}$/
The only thing that I'm doing more than his, is setting the number of digits (3) and characters (13) that the string should have.
I would use the following regexp:
with: /\Aabc_\d+\z/
Explanation:
\A # beginning of the string
abc_ # string prefix you are looking for
\d+ # one or more digits
\z # end of the string
I want to validate a Nickname but I have a lot of format like this:
validates :nickname, presence: true, unniqueness: true, format: { with: /\A[a-zA-Z0-9]+\Z/ }, format: { without: /\s/ }, format: { without: /[!-\/\#\^\~\`\(\)\[\]\>\<\=]/ }
warning: key :format is duplicated and overwritten on line 38
warning: key :format is duplicated and overwritten on line 38
Obviously down't work in this way, how can I solve it? Thank you
Your first regex covers everything:
format: { with: /\A[a-zA-Z0-9]+\Z/ }
but you probably want \z instead of \Z to avoid issues with trailing newlines. Anything that matches /\A[a-zA-Z0-9]+\z/ won't contain any space characters so the /\s/ test is already covered, similarly for the punctuation test.
Also, you've misspelled uniqueness as unniqueness so you'll want to fix that too.
That would leave you with just:
validates :nickname, presence: true, uniqueness: true, format: { with: /\A[a-zA-Z0-9]+\Z/ }
If you really did have multiple regexes to test then you could do it in a custom method:
validate :nickname_format
def nickname_format
return if(!nickname) # The `presence: true` takes care of complaining about this.
if(nickname ~! ...)
errors.add(:nickname, 'blah blah')
elsif(...)
...
end
end
so that you could check each regex individually.
I've the following regex in my model
validates :profile_name, presence:true,
uniqueness:true,
format:
{
with: /^[a-zA-Z0-9_-]+$/,
message: "Must be formatted correctly"
}
My tests are not passing because of regex. I am validating the profile name.
Here is my error log:
The provided regular expression is using multiline anchors (^ or $),
which may present a security risk. Did you mean to use \A and \z, or
forgot to add the :multiline => true option? (ArgumentError)
I think am doing right, still it is not passing. Please Help me to fix this.
Use, \A and \z instead of ^ and $ for regex:
validates :profile_name, presence:true,
uniqueness:true,
format:
{
with: /\A[a-zA-Z0-9_-]+\z/,
message: "Must be formatted correctly"
}
Read more on Regular Expressions as to why.
I trying to write a Image validation format that makes sure url ends with either .png, .jpg or .gif .
class Product < ActiveRecord::Base
mount_uploader :image_url
validates :title, :presence => true,
:uniqueness => true
validates :image_url, :presence => true,
:format => {
:with => %r{\.(gif|jpg|png)$}i,
:message => 'must be a URL for GIF, JPG or PNG image.'
}
end
But when i start my server. seeing this:
The provided regular expression is using multiline anchors (^ or $), which may present a security risk. Did you mean to use \A and \z, or forgot to add the :multiline => true option?
^ and $ are both line anchors. If a user were to pass in a string with http://www.foo.com/bar.png\nfoo_bar_baz!, then your regex is going say that the input is valid because it will match .png to the newline, which is not what you want.
Change your regex above to be %r{\.(gif|jpg|png)\z}i instead. The \z is an end of string anchor, which is what you want instead of the end of line anchor.
There are some great answers on another, very similar question: Difference between \A \z and ^ $ in Ruby regular expressions.
Making a simple Ruby on Rails app as practise that requires a user to sign up.
Everything works well until I implement regex validation on a 'profile_name' field
Here's my 'user' model:
validates :profile_name, presence: true,
uniqueness: true,
format: {
with: /^a-zA-Z0-9_-$/,
message: 'Must be formatted correctly.'
}
And yet the profile name 'jon' simply refuses to pass. Where could this error be coming from, other than my 'user' model?
You need to add brackets around the ranges so that the regex matches "any of the range" rather than "all of the range in order". Put a + on the end to allow it to match anything in the range more than once.
You also need to change your beginning and ending of lines to beginning and ending of strings!
validates :profile_name, presence: true,
uniqueness: true,
format: {
with: /\A[a-zA-Z0-9_-]+\z/,
message: 'Must be formatted correctly.'
}
Details:
\A # Beginning of a string (not a line!)
\z # End of a string
[...] # match anything within the brackets
+ # match the preceding element one or more times
Really useful resource for generating and checking regex: http://www.myezapp.com/apps/dev/regexp/show.ws
Try like this , It is working fine
validates :name, presence: true,
uniqueness: true,
format: {
with: /\A[a-zA-Z0-9_-$]+\z/,
message: 'Must be formatted correctly.'
}
I just tested your regular expression in Rubular with the 'jon'. There is no matching.
I am not optimized regular expression coder. But still the below regular expression works.
/^[a-zA-Z0-9_-]+$/
So try
validates :name, presence: true,
uniqueness: true,
format: {
with: /^[a-zA-Z0-9_-]+$/,
message: 'Must be formatted correctly.'
}